Adam Turner

We've long been told that choosing "strong" passwords is the key to online security. It's important to choose a password that's long and complicated, with upper- and lower-case letters as well as numbers and symbols. Your password should be easy for you to remember but difficult for a person to guess or a computer to crack by brute force.

It's good advice, but unfortunately a strong password isn't always enough to keep you safe. A growing number of services, such as Facebook, have added two-factor authentication - asking for more than just your password to prove that you're really you.

Two-factor authentication relies on both something you know and something you have, helping keep out hackers even if they discover your password. Other services offering two-factor authentication include Google, Apple, Microsoft, Yahoo!, Twitter, Evernote, Dropbox and LastPass.

If the thought of someone breaking into any of these accounts fills you with dread then you should check out their two-factor authentication options.

It sounds awkward but you already use two-factor authentication every time you withdraw money from an ATM. The something you know is your four-digit PIN and the something you have is your bank card. You can't get your money out with just one; you need to present both at the same time.

When it comes to online security, the something you know is your password and the something you have can be your phone. You can ask Facebook and other services to send a one-off code in a text message the first time you log in from a new computer or mobile device. You'll need to enter both your password and the unique code to log in.

At this point, most services give you the option to mark that particular device as "trusted", so you don't need to enter a code every time you log in from your own computer or smartphone.
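For readers who want to see the server side of the login described above, here is a sketch added for illustration; it is not from the article or from any of the services it names. The class and method names, the six-digit code and the five-minute expiry are assumptions, and returning the code from `start_login` stands in for sending the text message.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300  # seconds a texted code stays valid (assumed value)

def _digest(token):
    # Store only a hash of each trusted-device token, never the token itself.
    return hashlib.sha256(token.encode()).hexdigest()

class LoginService:
    """Hypothetical server: password, then a one-off code on untrusted devices."""
    def __init__(self):
        self.users = {}    # username -> (salt, password hash)
        self.pending = {}  # username -> (code, expiry time)
        self.trusted = {}  # username -> set of hashed device tokens

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._hash(password, salt))
        self.trusted[user] = set()

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def start_login(self, user, password, device_token=None, now=None):
        """Something you know. A trusted device never replaces the password."""
        now = time.time() if now is None else now
        salt, stored = self.users.get(user, (b"", b""))
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return "denied", None
        if device_token and _digest(device_token) in self.trusted[user]:
            return "ok", None  # device was marked as trusted earlier
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = (code, now + CODE_TTL)
        return "code_sent", code  # stands in for the text message

    def finish_login(self, user, code, trust_device=False, now=None):
        """Something you have. One attempt per code: pop() burns it either way."""
        now = time.time() if now is None else now
        sent, expires = self.pending.pop(user, ("", 0))
        if not sent or now > expires or not hmac.compare_digest(sent.encode(), code.encode()):
            return "denied", None
        if not trust_device:
            return "ok", None
        token = secrets.token_urlsafe(32)  # kept by the device, e.g. in a cookie
        self.trusted[user].add(_digest(token))
        return "ok", token
```

A wrong guess, an expired code or a replayed code all end in "denied", and the user has to request a fresh code.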

Two-factor authentication is a simple enough idea but unfortunately online services have different names for it and implement it in different ways. Google and Apple call it "two-step verification", while Facebook calls it "login approval" and with Yahoo! it's "second sign-in verification". Each has its own guide to setting it up, but it can take time to sort everything out - especially if you need to generate one-off passwords for devices, applications or services that won't accept two-factor logins.

If you rely on Google's email, calendar, contacts and online office suite then it will take you a while to configure two-factor authentication across all of your devices. Setting it up the night before you go on holidays is probably a bad idea: you'll want to leave yourself some time to get your head around the idea before you're at its mercy.

The Achilles heel of two-factor authentication is that you're now at the mercy of your mobile phone reception. If the text message can't get through because you're out of range or in a coverage black spot, then you're left in the lurch. Some services, such as Google and Facebook, offer a fail-safe, letting you use an app on your phone to generate the code. Google's Authenticator app also works with a range of other two-factor authentication services.

Of all the two-factor authentication options, Twitter's is the most disappointing, especially for Australians. Twitter will only send text messages to Telstra users, so you're out of luck if you're on the Vodafone or Optus network.

Even if you're with Telstra, you'll soon discover that Twitter's two-factor authentication only works with the twitter.com website - which is pretty disappointing considering many people use third-party Twitter apps. Even if you can live with these restrictions you'll be frustrated to find that you can't tell Twitter to remember your trusted devices, so you need to enter a new code every time you log in to twitter.com. This means that for most people, Twitter's two-factor authentication will be more trouble than it's worth.